Merge pull request #141 from fangge1212/amd_sev_snp

OCPCLOUD-3072: Add support for AMD SEV-SNP

Author: openshift-merge-bot[bot]

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
-	github.com/openshift/api v0.0.0-20250710004639-926605d3338b
+	github.com/openshift/api v0.0.0-20251009093019-7837a801e8c1
 	github.com/openshift/library-go v0.0.0-20250711143941-47604345e7ea
 	github.com/openshift/machine-api-operator v0.2.1-0.20250721183005-388c07321caf
 	k8s.io/api v0.33.3

go.sum

@@ -335,8 +335,8 @@ github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
 github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
-github.com/openshift/api v0.0.0-20250710004639-926605d3338b h1:A8OY6adT2aZNp7tsGsilHuQ3RqhzrFx5dzGr/UwXfJg=
-github.com/openshift/api v0.0.0-20250710004639-926605d3338b/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
+github.com/openshift/api v0.0.0-20251009093019-7837a801e8c1 h1:YDyN6zwe8H/bdYAp3kQekpjknSAGK4CjKOfYtk3261M=
+github.com/openshift/api v0.0.0-20251009093019-7837a801e8c1/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee h1:tOtrrxfDEW8hK3eEsHqxsXurq/D6LcINGfprkQC3hqY=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee/go.mod h1:zhRiYyNMk89llof2qEuGPWPD+joQPhCRUc2IK0SB510=
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250718085303-e712b1ebf374 h1:ldUi0e64kdYJC2+ucB24GRXIXfMnI3NpSkcnalPqBGo=

pkg/actuators/machine/instances.go

@@ -468,6 +468,7 @@ func launchInstance(machine *machinev1beta1.Machine, machineProviderConfig *mach
 		MetadataOptions:                  getInstanceMetadataOptionsRequest(machineProviderConfig),
 		InstanceMarketOptions:            instanceMarketOptions,
 		CapacityReservationSpecification: capacityReservationSpecification,
+		CpuOptions:                       getCPUOptionsRequest(machineProviderConfig),
 	}
 
 	if len(blockDeviceMappings) > 0 {
@@ -709,3 +710,26 @@ func getCapacityReservationSpecification(capacityReservationID string) (*ec2.Cap
 		},
 	}, nil
 }
+
+func getCPUOptionsRequest(providerConfig *machinev1beta1.AWSMachineProviderConfig) *ec2.CpuOptionsRequest {
+	if providerConfig.CPUOptions == nil {
+		return nil
+	}
+
+	cpuOptions := &ec2.CpuOptionsRequest{}
+
+	if providerConfig.CPUOptions.ConfidentialCompute != nil {
+		switch *providerConfig.CPUOptions.ConfidentialCompute {
+		case machinev1beta1.AWSConfidentialComputePolicySEVSNP:
+			cpuOptions.AmdSevSnp = aws.String(ec2.AmdSevSnpSpecificationEnabled)
+		case machinev1beta1.AWSConfidentialComputePolicyDisabled:
+			cpuOptions.AmdSevSnp = aws.String(ec2.AmdSevSnpSpecificationDisabled)
+		}
+	}
+
+	if *cpuOptions == (ec2.CpuOptionsRequest{}) {
+		return nil
+	}
+
+	return cpuOptions
+}

pkg/actuators/machine/instances_test.go

@@ -16,6 +16,7 @@ import (
 	mapierrors "github.com/openshift/machine-api-operator/pkg/controller/machine"
 	mockaws "github.com/openshift/machine-api-provider-aws/pkg/client/mock"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -1695,3 +1696,53 @@ func TestGetCapacityReservationSpecification(t *testing.T) {
 		})
 	}
 }
+
+func TestGetCPUOptionsRequest(t *testing.T) {
+	testCases := []struct {
+		name            string
+		providerConfig  *machinev1beta1.AWSMachineProviderConfig
+		expectedRequest *ec2.CpuOptionsRequest
+	}{
+		{
+			name:            "with CPUOptions unspecified",
+			providerConfig:  &machinev1beta1.AWSMachineProviderConfig{},
+			expectedRequest: nil,
+		},
+		{
+			name: "with ConfidentialCompute set to AMD SEV-SNP",
+			providerConfig: &machinev1beta1.AWSMachineProviderConfig{
+				CPUOptions: &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+				},
+			},
+			expectedRequest: &ec2.CpuOptionsRequest{
+				AmdSevSnp: aws.String(ec2.AmdSevSnpSpecificationEnabled),
+			},
+		},
+		{
+			name: "with ConfidentialCompute disabled",
+			providerConfig: &machinev1beta1.AWSMachineProviderConfig{
+				CPUOptions: &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicyDisabled),
+				},
+			},
+			expectedRequest: &ec2.CpuOptionsRequest{
+				AmdSevSnp: aws.String(ec2.AmdSevSnpSpecificationDisabled),
+			},
+		},
+		{
+			name: "with ConfidentialCompute unspecified",
+			providerConfig: &machinev1beta1.AWSMachineProviderConfig{
+				CPUOptions: &machinev1beta1.CPUOptions{},
+			},
+			expectedRequest: nil,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := gmg.NewWithT(t)
+			req := getCPUOptionsRequest(tc.providerConfig)
+			g.Expect(req).To(gmg.BeEquivalentTo(tc.expectedRequest))
+		})
+	}
+}